The End of Information Security
It has been two years since I re-launched this blog with the intent of using it as a platform for highlighting issues relating to technology, particularly with regard to encryption and IT security.
I’ve accomplished a lot in these two years, considering that everything has been done in my spare/slack time. I’ve written around fifteen technology articles for this blog, and another fifteen for my compatriots – digital rights and privacy campaigners OpenMedia. I attended town-hall events to give public comments regarding encryption, both to the Parliamentary Standing Committee on Public Safety and the Ministry of Public Safety’s Consultation on National Security – I came away from those events feeling that I had been able to directly influence the opinions of federal policymakers.
Today however, reading the news, and reflecting on the past two years, it also feels like I haven’t done a single goddamned thing.
After years of a status quo where we scarcely can go a few weeks without a newsworthy cybersecurity incident – whether it's a ransomware attack, a celebrity photo hack, the theft and leaking of TV show scripts, or a major data breach of a political campaign – we find ourselves in the aftermath of what may prove to be one of the most serious data breaches of all time: the Equifax hack.
Meanwhile, in the backdrop of what is arguably the worst two years in human history for infosec (I refuse to call it “cybersecurity”) we have law enforcement and government actively undermining infosec, by campaigning against encryption (a technology which is fundamentally necessary for infosec) and actively hoarding – rather than disclosing – zero-day vulnerabilities in software (which endangers everyone, including government, and which is directly responsible for the May 2017 ransomware attacks).
Though the most infuriating, maddening part of everything infosec is not the strident clamour of the technologically-ignorant and politically-authoritarian, but the apparent lack of support for this issue from the tech-savvy and forward-thinking people, who should realize that we’re watching yet another possible vector of our society’s demise – collapsing towards us like a tonne of bricks – and failing to do anything substantial about it.
It is ostensibly progressive, research-to-policy politicians who bafflingly voice platforms or even table legislation directed at (or directly affecting) technology and infosec seemingly without having talked to a single computer scientist or IT pro about the feasibility of what they’re proposing.
It is talking about infosec as if it is exclusively relevant as a means to protect civil liberties and citizens’ privacy – serving no other important purpose – when our government services, bank accounts, and perhaps the sanctity and sovereignty of our democratic processes, are also at risk.
Admittedly, many people are actively fighting for infosec: boingboing, the Electronic Frontier Foundation, TechDirt, Vice:Motherboard...
I feel, however, that we’ve all failed to get our core message through. While each may have their own precise (and equally valid) spin on what that message is, I have my own take:
Information security must be thought of as an infrastructural challenge, perhaps the greatest one our species will ever face. Unlike physical infrastructure – comprised of many connected but functionally distinct bridges, roads, and tunnels – infosec inherently functions as a single, connected ecosystem. When you undermine security of software or a system, it affects everyone on Earth using that software or system.
It would be foolish to understate how deeply dependent we are on our technology ecosystem at this point in history. It is our private personal data, financial systems, communications, power systems, government departments, autonomous vehicles, emergency response, voting machines, hospitals and medicine… need I go on? This is not a privacy issue, it is an everything issue. Everything we use, everything we depend on, is all at risk.
With the Equifax breach (and the company’s unapologetic, utterly lackluster response) we have officially entered the post-infosec era. More hacks (and worse hacks) are coming. More revelations (and worse revelations) about the effects of previous hacks, are also coming.
While out for a walk this past spring with a like-minded friend, we began to spin a yarn about how our movement – for digital rights, infosec, tech-activism, etc – is in some ways like the early environmental movement. Some of its supporters seem to be paranoid and anti-science – in extreme cases opposed to the very science that those of us attempting to influence public policy are advocating for. Like environmentalism, information security and digital rights are “evergreen” issues of good stewardship: issues that will never take care of themselves, and which we as a society will always need to be cognizant of and proactive upon.
But the way in which I fear infosec advocates are most unfortunately like the environmentalist movement is this: we can't seem to make enough people listen. Even though the horrible consequences of everything in our society being dependent on technology, and none of that tech being adequately secure, are apparent to anyone who would look, it seems that our society will nonetheless ride directly into the apocalyptic consequences, smiling and unblinking, ignoring our own power and agency to avert disaster.
So how do we avert disaster?
We need to protect encryption under the law. We need to make hoarding zero-day vulnerabilities a crime. We need to pursue and prosecute criminal hackers, while at the same time protecting legitimate security researchers from prosecution. We need to throw more money at our IT systems and infrastructure. We need to condemn the denial of science and the willful ignorance of IT/compsci expertise. As with so many movements before this, We Need All The Infosec Things.
Or rather, we needed those things. Change does not happen overnight – as many of you are no doubt reproachfully thinking at me as you endure my impatient, critical rant. Unfortunately, the speed of technological progress and change isn’t waiting for us to catch up. Like our changing climate, change is upon us – here, whether we are ready for it or not. We live in an intrinsically technological, yet infosec-deficient, world. If it takes us another two years to make the policy improvements which any sensible IT pro or computer scientist would say our world needs right now, then I shudder to think where we’ll be in two years. How much worse will things get before we even begin to attempt improvement? For the time being, we've made our bed, and now we'll have to lie in it.
Welcome to the End of Infosec.
In the words of a fictional IT pro: Hold onto your butts.